Things have rapidly escalated in the wake of MobiKwik’s repeated denials that the digital wallet and payments network firm had suffered a massive breach. As DataBreaches.net reported on Sunday, more than 8 TB of data from the firm had been listed for sale on a popular forum, data that allegedly included KYC (Know Your Customer) data on 3.5 million consumers. And to prove the data were real, the seller created a portal where MobiKwik customers could input their information to see what MobiKwik had on file about them.
Despite the samples provided and confirmation by independent researchers that the data were real, MobiKwik gave DataBreaches.net a statement that there had been no breach, repeating a statement it had made on March 4, when it tried to claim that a “media-crazed researcher” had concocted files but that their systems were secure.
That “media-crazed researcher” would be Rajshekhar Rajaharia, who has found and reported a number of leaks and vulnerabilities. Rajaharia has responsibly notified the Indian CERT of issues he finds. In February, he publicly tweeted about MobiKwik (see thread), and he continued to tweet, trying to get MobiKwik to respond responsibly. For his efforts, he has been threatened with legal action and maligned.
MobiKwik’s attempt to claim that it is secure and that all of this was concocted by Rajaharia has drawn derision and anger from members of the public as well as security researchers. DataBreaches.net had immediately written back to MobiKwik to tell them that their claim that this was concocted by media-crazed researchers was not credible. DataBreaches.net had previously tweeted (from the @PogoWasRight account):
So to be clear: you are saying that you checked each record in the sample file and none of them correspond to real customer data or details? And you have no concern about the hacker just dumping the whole file, unredacted, because you say it is fake? Is that accurate?
— Dissent Doe, PhD (@PogoWasRight) March 4, 2021
MobiKwik had not responded to that tweet. Nor did they ever respond to this site’s email to them on Sunday telling them that their denials were simply not credible.
Things really blew up online, however, after well-known French security researcher Baptiste Robert sarcastically congratulated MobiKwik. Robert, or “Elliot Alderson” as he calls himself on Twitter, has a history of highlighting big breaches and leaks in India that Indian entities have desperately tried to deny. In this case, his tweet as @fs0c131y, now removed because it violated Twitter’s rules by linking to private information, had said, “Probably the largest KYC data leak in history. Congrats Mobikwik.”
And with that, the Twitter floodgates opened. One consumer tweeted:
What the fuck is this @MobiKwik @MobiKwikSWAT
How the hell are all the cards that are linked to my mobikwik account shown at a certain link?
Shut down your services. #shamemobikwik pic.twitter.com/yN7C1SoPHT
— Aanjney Bhardwaj (@bhardwaj_anjney) March 29, 2021
There has been a flood of other confirmations and angry comments from people who also found their data — real data — exposed, while MobiKwik remains quiet and does not admit what appears obvious to the world.
Today, the “media-crazed researcher” (and DataBreaches.net suggests that Raj should consider trademarking that) tweeted that he had also reported a bug to MobiKwik, which they addressed immediately — and then cheated him by not paying the bug bounty.
My 1st March conversation with #Mobikwik after this serious data breach. I also reported a bug. They denied it too and removed that bug in the next 1 hour. They saved their 1000 rupee bounty by denying it. #InfoSec #DataLeak #GDPR @sanjg2k1 @fs0c131y @troyhunt pic.twitter.com/pP0VRU0vqC
— Rajshekhar Rajaharia (@rajaharia) March 30, 2021
People watching this all unfold should keep in mind that MobiKwik has reportedly been planning an IPO later this year. The very last thing they need or want right now is a massively expensive and embarrassing data breach that would make investors shy away. Is that the explanation — are they denying all this in the hope that investors will not run away?
It is never appropriate to falsely accuse researchers of concocting a breach to try to cover one up. It is never appropriate to threaten to sue or criminally charge researchers for exposing your security failures and for trying to get you to be accountable to the public. If MobiKwik genuinely believes that there has been no breach, then let them hire a firm like Mandiant to investigate and agree in advance to make the firm’s findings public (as Accellion recently did following their breach). [Updated: it appears that they have indicated that they will hire a firm to investigate.]
Troy Hunt, owner of HaveIBeenPwned, sums this one up nicely:
Never *ever* behave like @MobiKwik has in this thread from 25 days ago. Try Googling “mobikwik data breach” now… https://t.co/L5E4xc1ey0
— Troy Hunt (@troyhunt) March 29, 2021
So what should happen now? Well, as a consumer advocate, this blogger would recommend that MobiKwik forget about the funding and IPO right now and do the right thing for the 100 million consumers who trusted them with their data.
And as to their threats of “strict legal action”: I and others stand with Rajshekhar Rajaharia. I’ve already been threatened — and actually charged in the past — in India for reporting on their leaks and breaches. Indian entities have for too long failed the public by not using reasonable security and then trying to lie their way out of transparent disclosure and mitigation. Trying to chill the speech of researchers and journalists will not serve the Indian public well.
For those who wish to know more, follow @rajaharia on Twitter and support his efforts to demand accountability and transparency. Speak up, people. And if he needs a legal defense fund, pitch in if you can.
And for those who want to read the forum posts and listings about the MobiKwik data for sale, the posts are on RaidForums.com. I usually do NOT link to posts or data dumps — to protect people’s data from further exposure or misuse — but since MobiKwik is refusing to help people, I will also post a link to the dark web portal where people can input their own phone number or information to see what MobiKwik’s database shows for them: [link deleted post-publication as the underlying data were removed]. You will need the Tor browser to access the site. The portal is currently down at the time of this posting because so many people were trying to access it.
Here’s what the portal looked like yesterday (left) and this morning (right). This site had redacted the screencap to mask pictures of individuals that were displayed.
Of course, if MobiKwik admits to the breach and that the data are not “concocted,” then maybe the person who created the portal will take it down (they had indicated in a forum post update that they would if MobiKwik admitted it was real). But remember that these data are still up for bulk sale by the same individual, who listed an asking price of 1.5 BTC (approximately $89,000.00 or 6,512,041.76 INR).
At this point, I might normally try to helpfully point you to how to delete your MobiKwik account if you have concerns, but it appears that deleting your account right now may not be possible?
Seems like that cannot be done either! @MobiKwikSWAT why can’t I delete my account, care to explain this please! pic.twitter.com/pnd33V2Xp8
— Jai Kumar Sharma (@ja1sharma) March 30, 2021
Updated 1:48 pm: A report today by TechCrunch indicates that it was given a copy of a leaked communication from last month in which a MobiKwik official asked an Amazon representative for AWS S3 access logs because
the startup “came to know that our S3 [cloud storage] data is downloaded by some other person outside the organization.”
Sounds to me like an admission that they knew they had a data security incident. But was last month’s request related to the data currently being offered for sale, or was this perhaps an unrelated incident? There’s still a lot we don’t know, and MobiKwik’s lack of transparency seems only to be keeping them in the news cycle.
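The leaked request for S3 access logs is the one concrete technical detail in this story, so it is worth showing what such logs can actually tell a defender. The following is an added example, not MobiKwik’s logs and not code from TechCrunch or DataBreaches.net: it parses lines in the documented Amazon S3 server access log layout and flags principals that successfully pulled objects in bulk without being on an allow-list of expected requesters. The bucket name, canonical user IDs, IP addresses, object keys and thresholds are all constructed placeholders.

```python
"""Triage S3 server access logs for bulk object downloads by unexpected principals.

Constructed example (not MobiKwik's data): the sample lines below imitate the
Amazon S3 server access log layout. Bucket name, canonical user IDs, IPs,
keys and thresholds are made-up placeholders.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Field order of the S3 server access log format (first 17 fields). Later
# fields (version id, host id, signature version, ...) are ignored here.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time",
    "referrer", "user_agent",
]

# Canonical user IDs that are expected to read the bucket (placeholder).
TRUSTED_REQUESTERS = {"OWNERCANONICALIDEXAMPLE"}


def tokenize(line: str) -> List[str]:
    """Split one log line on spaces, keeping [..] and ".." groups as single tokens."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        c = line[i]
        if c == " ":
            i += 1
        elif c == "[":                      # bracketed timestamp with a space inside
            j = line.index("]", i)
            tokens.append(line[i + 1:j])
            i = j + 1
        elif c == '"':                      # request URI, referrer, user agent
            j = line.index('"', i + 1)
            tokens.append(line[i + 1:j])
            i = j + 1
        else:
            j = line.find(" ", i)
            j = n if j == -1 else j
            tokens.append(line[i:j])
            i = j
    return tokens


def parse_line(line: str) -> Dict[str, str]:
    """Map one access log line onto the named fields above."""
    toks = tokenize(line.strip())
    if len(toks) < len(FIELDS):
        raise ValueError("short S3 access log line: %r" % line)
    return dict(zip(FIELDS, toks))


def to_int(value: str) -> int:
    """S3 writes '-' for absent numeric fields."""
    return 0 if value == "-" else int(value)


def find_bulk_downloaders(lines: Iterable[str], trusted: set,
                          min_objects: int = 3, min_bytes: int = 1_000_000
                          ) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Return {(requester, remote_ip): {"objects": n, "bytes": b}} for principals
    outside `trusted` whose successful object GETs exceed either threshold."""
    stats = defaultdict(lambda: {"objects": 0, "bytes": 0})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        # Only completed object reads count as exfiltrated bytes; denied
        # requests are still interesting but belong in a separate alert.
        if rec["operation"] != "REST.GET.OBJECT" or rec["http_status"] != "200":
            continue
        who = (rec["requester"], rec["remote_ip"])
        stats[who]["objects"] += 1
        stats[who]["bytes"] += to_int(rec["bytes_sent"])
    return {
        who: agg for who, agg in stats.items()
        if who[0] not in trusted
        and (agg["objects"] >= min_objects or agg["bytes"] >= min_bytes)
    }


# Constructed sample: one expected read by the bucket owner, three anonymous
# ('-' requester) reads of KYC objects from an outside IP, one denied request.
SAMPLE_LOG = """\
OWNERCANONICALIDEXAMPLE kyc-archive-example [01/Mar/2021:02:14:05 +0000] 203.0.113.10 OWNERCANONICALIDEXAMPLE 3E57427F3EXAMPLE REST.GET.OBJECT kyc/00001.jpg "GET /kyc/00001.jpg HTTP/1.1" 200 - 524288 524288 38 12 "-" "aws-cli/2.1.0" - HOSTIDEXAMPLE SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader kyc-archive-example.s3.ap-south-1.amazonaws.com TLSv1.2 -
OWNERCANONICALIDEXAMPLE kyc-archive-example [01/Mar/2021:02:15:41 +0000] 198.51.100.7 - 7A4F1C2EXAMPLE REST.GET.OBJECT kyc/00002.jpg "GET /kyc/00002.jpg HTTP/1.1" 200 - 5242880 5242880 410 9 "-" "python-requests/2.25.1" - HOSTIDEXAMPLE - - - kyc-archive-example.s3.ap-south-1.amazonaws.com - -
OWNERCANONICALIDEXAMPLE kyc-archive-example [01/Mar/2021:02:15:42 +0000] 198.51.100.7 - 7A4F1C3EXAMPLE REST.GET.OBJECT kyc/00003.jpg "GET /kyc/00003.jpg HTTP/1.1" 200 - 5242880 5242880 402 8 "-" "python-requests/2.25.1" - HOSTIDEXAMPLE - - - kyc-archive-example.s3.ap-south-1.amazonaws.com - -
OWNERCANONICALIDEXAMPLE kyc-archive-example [01/Mar/2021:02:15:43 +0000] 198.51.100.7 - 7A4F1C4EXAMPLE REST.GET.OBJECT kyc/00004.jpg "GET /kyc/00004.jpg HTTP/1.1" 200 - 5242880 5242880 399 8 "-" "python-requests/2.25.1" - HOSTIDEXAMPLE - - - kyc-archive-example.s3.ap-south-1.amazonaws.com - -
OWNERCANONICALIDEXAMPLE kyc-archive-example [01/Mar/2021:02:15:44 +0000] 198.51.100.7 - 7A4F1C5EXAMPLE REST.GET.OBJECT kyc/00005.jpg "GET /kyc/00005.jpg HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "python-requests/2.25.1" - HOSTIDEXAMPLE - - - kyc-archive-example.s3.ap-south-1.amazonaws.com - -
"""

if __name__ == "__main__":
    for (requester, ip), agg in find_bulk_downloaders(SAMPLE_LOG.splitlines(), TRUSTED_REQUESTERS).items():
        print("suspicious bulk read: requester=%s ip=%s objects=%d bytes=%d"
              % (requester, ip, agg["objects"], agg["bytes"]))
```

An anonymous `-` requester succeeding against a bucket of KYC documents is itself a misconfiguration finding, independent of volume; the thresholds exist so the same pass also surfaces authenticated but unexpected principals. Server access logging is not enabled by default on S3 buckets and only covers requests made after it is switched on, which is why a request for logs after the fact may come back empty.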